Design and Analysis of Role-based Security Management Model for Policy-based Security Management in SNMPv3 Network


  • 주광로 (Department of Computer Information, Seogang Information College)
  • 이형호 (Division of Information and Electronic Commerce, Wonkwang University)
  • 노봉남 (Division of Computer and Information, Chonnam National University)
  • Published: 2001.10.01

Abstract

The Policy-Based Network Management (PBNM) architecture is intended to meet the various needs of network users and to give network managers effective management facilities in distributed, large-scale networks. In PBNM, network managers perform management operations by stipulating a set of rules rather than controlling each network component individually. On the other hand, by providing security services such as authentication and message privacy as well as a new flexible and extensible administration framework, SNMPv3 enables network managers to monitor and control the operation of network components more securely than ever before. Despite its enhanced security services, SNMPv3 has difficulties in managing distributed, large-scale networks because it does not provide centralized security management facilities. In this paper, we propose a new security model called the Role-based Security Management model (RSM), together with a security management policy, to support scalable and centralized security management for SNMP-based networks. The structure and operation of the security system, as well as an efficiency analysis of RSM in terms of security management, are also described.

A policy-based network management system is an architecture suited to meeting the diverse demands of users and to the effective management of networks that are growing larger and more distributed. In this system, the network manager determines the behavior of network components or services according to pre-established rules instead of directly configuring the operation of each network component. Meanwhile, SNMPv3, which presents a flexible network management framework, provides security services such as authentication, encryption and access control, thereby offering the base technology for secure network management that earlier SNMP versions could not provide. However, despite the improved security services of SNMPv3, the security information used in the authentication and encryption processes is managed per network manager and is distributed across the network components, so no systematic, centralized security management function is provided; this makes SNMPv3 unsuitable for effectively managing a large-scale network operated by multiple managers. In this paper, to provide centralized scalability and network security management functions, we present a role-based security management model that supports security management policies, and we describe the structure and operating procedure of the extended SNMPv3 security system that incorporates it, as well as an efficiency analysis from the viewpoint of security management.
